CVE-2024-58340

HIGH

langchain/langchain <= 0.3.1 - Regular Expression Denial-of-Service in MRKLOutputParser.parse()


Description

LangChain versions up to and including 0.3.1 contain a regular expression denial-of-service (ReDoS) vulnerability in the MRKLOutputParser.parse() method (libs/langchain/langchain/agents/mrkl/output_parser.py). The parser applies a backtracking-prone regular expression when extracting tool actions from model output. An attacker who can supply or influence the parsed text (for example via prompt injection in downstream applications that pass LLM output directly into MRKLOutputParser.parse()) can trigger excessive CPU consumption by providing a crafted payload, causing significant parsing delays and a denial-of-service condition.

References (4)

Exploit, Issue Tracking, Third Party Advisory (technical description, exploit): https://huntr.com/bounties/e7ece02c-d4bb-4166-8e08-6baf4f8845bb
Product: https://www.langchain.com/

Scores

CVSS v3 7.5
EPSS 0.0041
EPSS Percentile 32.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-1333
Status published
Products (1)
langchain/langchain < 0.3.1
Published Jan 12, 2026
Tracked Since Feb 18, 2026